Poll: MN Operators, please respond

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)


  • Total voters
    72
That's not really the point. Even if you distribute between 8 cloud services, they're all sitting on public IPs and mostly on US soil. What would it take to effectively take 3700 servers offline? - not much.

They could, with some serious efforts, take the 1200 US-based servers offline, which, by the way, could move somewhere else if needed. Maybe some more if you count US-based hosting companies.

The other 2000-something servers are outside of the US.

And, even when Americans often forget this, US-law does not apply in most of the civilized world.
 
They could, with some serious efforts, take the 1200 US-based servers offline, which, by the way, could move somewhere else if needed. Maybe some more if you count US-based hosting companies.

The other 2000-something servers are outside of the US.

And, even when Americans often forget this, US-law does not apply in most of the civilized world.

Yes I agree. When I setup my MNs, I purposely diversified and I didn't put them on cloud services, and I also spent a long time trying to find reliable hosts, even though that means less profit... and finding reliable hosts is so much harder than it sounds.
 
I am not a Master Node, but I voted.

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)
  1. *
    Yes, all MNs anonymized
    14 vote(s)
    35.9%
  2. Yes, but MNOs choose IP based or anonymous
    13 vote(s)
    33.3%
  3. No, all MNs should run on public IPs
    12 vote(s)
    30.8%

The only way to compel core developers is to run Master Nodes that do not run their software, but (of course) they are complient to the Dash protocol.

Which means that Master Nodes should ΝΟΤ respect the decision:

"Masternode operators SHOULD be running 0.12.0.56 or greater!"
 
Last edited by a moderator:
I'm completely for MN anonymization in principle but I'm not sure if this is actually doable. Imo to do so we'd have to move the whole network to i2p (not sure if tor is applicable for this purpose at all). I mean not only (some of) masternodes but every single node/wallet out there because otherwise hidden part of the network will not be reachable by normal users (i.e. it will be useless for them) afaik. Of course we could use some bridges sitting on the edge of two networks and relaying messages back and forth but that would weaken network imo - instead of heaving 3500 connection points you'd end up with.. how many? 20? 200? Who will maintain them and why? You can't run them on masternodes because this will make no sense in terms of MNs' anonymization so there should be some volunteers who run them. Or should they be "sponsored" via blockchain maybe? Anyway, having that small number of reachable nodes... You know what will happen then? "DASH IS CENTRALIZED!!" and all that kind of stuff :wink:
I don't know of any good solution so far.


Those who voted in favor of Master node anonymization, they have to answer the above quote.
Otherwise, even if a decision in favor of anonymity is taken, this decision cannot be implemented.

The core developer does not know any good solution so far. Does anyone know?
 
Last edited by a moderator:
Although I voted for complete anonymity, I think the solution is:

Yes, but MNOs choose IP based or anonymous

And the IP based Masternodes should be forced by the protocol to behave also as reverse proxies to the anonymous nodes.

Of course we could use some bridges sitting on the edge of two networks and relaying messages back and forth but that would weaken network imo - instead of heaving 3500 connection points you'd end up with.. how many? 20? 200? Who will maintain them and why? You can't run them on masternodes because this will make no sense in terms of MNs' anonymization so there should be some volunteers who run them.

So the answer is, of course we can run them on masternodes! Developers should create two types of masternodes, the anonymous ones and the IPbased ones (that are forced by the protocol to behave as reverse proxies to the anonymous ones).

It is important always to maintain both anonymous and IPbased Master nodes. Because in case the IPbased master nodes are attacked somehow, the network will remain alive and will be able to recover.
You could even force by the protocol for a percentage to be anonymous, and for another percentage to be IP based (but of course in that case masternode owners will not be total free to decide the type of their node, they will be relatively free within a boundary)
 
Last edited by a moderator:
I've had a second though on this, and, aside from the fact that I'd help implement whatever will be decided, I think it's quite paradox to have a protocol running on a public network which itself heavily relies on public information (IPs, routing, broadcasting, etc.) and then try to hide exactly this information from the network.

Possible? Yes.
Easy or straightforward? Certainly not.

You can drive your car from A to B and destroy all traffic cameras and innocent bystanders who might remember your license-plate and which highway you were driving on, but the obvious solution would be to not use your car and public roads. Just sayin' ...
 
I've had a second though on this, and, aside from the fact that I'd help implement whatever will be decided, I think it's quite paradox to have a protocol running on a public network which itself heavily relies on public information (IPs, routing, broadcasting, etc.) and then try to hide exactly this information from the network.

Possible? Yes.
Easy or straightforward? Certainly not.

You can drive your car from A to B and destroy all traffic cameras and innocent bystanders who might remember your license-plate and which highway you were driving on, but the obvious solution would be to not use your car and public roads. Just sayin' ...


This is not the real case, your case is wrongly presented.

The case is that you regularly use public roads, but just in case someone prohibits you to circulate, you must have some hidden roads as a backup. This is the reason why some anonymous masternodes are necessary to exist into the dash network, together with the IPbased nodes of course.

I think the best solution is to have a constant poll, and decide dynamically the percentage of the anonymous and IPbased masternodes. And according to this voted percentage, some masternodes (selected randomly) must be forced to change anonymity state in the runtime and become IPbased masternodes (and vice versa) having a reverse proxy functionality that points to the hidden network. The poll of course should be protected, decentralized and mirrored into all the anonymous section of the dash network.

It is very crucial to select randomly the IPbased and the anonymous masternodes in the runtime (according to the result of the appropriate poll that is always active, so that we can change the percentage of anonymous and IPbased masternodes in the runtime, according to the extend of the attack beeing made at the public dash network) because this randomness makes much more difficult the task of prohibiting the public dash network. The randomness can be calcutated using appropriate cryptographic protocols, among masternode owners.

For example, lets suppose that the current result of this supposed permanent poll is the below:

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)
  1. *Yes, all MNs anonymized 15 vote(s) 37.5%
  2. Yes, but MNOs choose IP based or anonymous 13 vote(s) 32.5%
  3. No, all MNs should run on public IPs 12 vote(s) 30.0%
So we should have 37.5% of anonymous nodes, 32.5% free to choose by the MNO, and 30% IPbased nodes. The IPbased and the anonymous nodes should be selected by the protocol randomly according to the current vote result, and the lucky (or unlucky) MNOs should be forced (by the protocol) to respect the decision of the protocol.


I don't know of any good solution so far.
I gave a solution above, so what about it? What do you think?

UdjinM6, If you like my proposition, send me 0.00100000 dash here:

XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX

I would like my first duffs into my wallet to be send by you.
 
Last edited by a moderator:
...
I gave a solution above, so what about it? What do you think?
...
I think it won't work because even though at some point of a time only some % of MNs are IP-based but since selection is randomized it should actually cover all MNs in a period of time and every MN will be effectively de-anonymized after a while.
 
I think it won't work because even though at some point of a time only some % of MNs are IP-based but since selection is randomized it should actually cover all MNs in a period of time and every MN will be effectively de-anonymized after a while.

You are right. Especially for static IPs. I ll come back with another proposition.
Do you consider dynamic IPs also as non anonymous?
 
You are right. Especially for static IPs. I ll come back with another proposition.
Do you consider dynamic IPs also as non anonymous?
I doubt you can get dynamic IP for a VPS instance. And even if you could you can't just get IP you like - they are provided from (ISP provider's) pool of IPs afaik and IP is linked to the user at the time session is started so it easy to find out who is/was behind some IP at some point of a time imo.

Few more thoughts on the issue itself - you provide some billing info to pay for VPS you use to run MN and basically that's how MN operators are identified. Some services allow you to pay via crypto though and that can be considered a bit more anonymous way for MN operator already imo, we just need more of them to accept crypto to solve our issue ;)
 
I doubt you can get dynamic IP for a VPS instance. And even if you could you can't just get IP you like - they are provided from (ISP provider's) pool of IPs afaik and IP is linked to the user at the time session is started so it easy to find out who is/was behind some IP at some point of a time imo.

Ok. Dynamic IP is not anonymous also.

So I consider that as long as you are baptized by the protocol to become an anonymous master node, there is no return. You always remain anonymous and your IP should never be revealed, if you keep your desire to remain an anonymous one.

I consider this as cornerstone specification, for my next proposal that will follow.
 
This is not the real case, your case is wrongly presented.The case is that you regularly use public roads, but just in case someone prohibits you to circulate, you must have some hidden roads as a backup. This is the reason why some anonymous masternodes are necessary to exist into the dash network, together with the IPbased nodes of course.

No.
As long as you use public TCP/IP networks you don't have hidden roads. Socket = IP+port. No way around that.

Existing anonymization implementations put a blanket over your head while driving, or change your car and/or license plate often, or let someone else drive with her car and hope she tells no one, or use a different road each day, or put your car on a truck to take it to a different place, or disassembles you body parts and transports each arm, leg etc. on a different road, or all of these together.

Like I said, it certainly CAN be done this way, but it's paradox to do it so.
 
No.
As long as you use public TCP/IP networks you don't have hidden roads. Socket = IP+port. No way around that.

Existing anonymization implementations put a blanket over your head while driving, or change your car and/or license plate often, or let someone else drive with her car and hope she tells no one, or use a different road each day, or put your car on a truck to take it to a different place, or disassembles you body parts and transports each arm, leg etc. on a different road, or all of these together.

Like I said, it certainly CAN be done this way, but it's paradox to do it so.

No, you are presenting an inaccurate and confused case. Lets be accurate of what anonymous means.

Existing anonymization trip disassembles your car into several parts, it transports those parts into visible trucks (but opaque trucks so nobody can see what they carry inside) through public roads, but each truck follows a different public road. And then at the destination of the trip all trucks arrive not in the same time, they unload the part of your car they carry into your own room so nobody can see that part, and then you personally assemble the car.

This is the excact case of an anonymous trip. This is how anonymous drive their car.
 
Last edited by a moderator:
No, you are presenting a wrong, inaccurate and confused case.

Existing anonymization disassembles your car into several parts, it transports those parts into visible trucks (opaque trucks so nobody can see what they carry inside) through public roads, but each truck follows a different public road , and then at the end of the trip all trucks arrive not in the same time, they unload the part of your car they carry into the night so nobody can see it, they put those parts into your own room, and then you personally assemble the car.

This is the excact case of an anonymous trip.

Yeah, but it sounds better to say, "or disassembles you body parts and transports each arm, leg etc. on a different road". The most someone can find is one leg of the journey, which is completely armless
 
This is my revised proposition.

I think the best solution is to have a constant poll, and decide dynamically the percentage of the anonymous and IPbased masternodes. And according to this voted percentage, new masternodes (selected randomly) must be forced to become anonymous and other new masternodes must be forced to behave as reverse proxies to the hidden network. The poll of course should be protected, decentralized and mirrored into all the anonymous section of the dash network.

It is very crucial to select randomly the IPbased and the anonymous new masternodes (according to the result of the appropriate poll that is always active, so that we can change the percentage of anonymous and IPbased new masternodes , according to the extend of the attack beeing made at the public dash network) because this randomness makes much more difficult the task of prohibiting the public dash network. The randomness can be calcutated using appropriate cryptographic protocols, among masternode owners.

The old mastenodes, as long as they are baptized and randomly toοκ their anonymous state, they can remain (or even they are forced to remain) anonymous for ever.

For example, lets suppose that the current result of this supposed permanent poll is the below:

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)
  1. *Yes, all MNs anonymized 15 vote(s) 37.5%
  2. Yes, but MNOs choose IP based or anonymous 13 vote(s) 32.5%
  3. No, all MNs should run on public IPs 12 vote(s) 30.0%
So we should have 37.5% of anonymous nodes, 32.5% free to choose by the MNO, and 30% IPbased nodes. The IPbased and the anonymous nodes should be selected by the protocol randomly according to the current vote result, and the new arriving lucky (or unlucky) MNOs should be forced (by the protocol) to respect the decision of the protocol.

In our currenct case 100% of the nodes are currently in public IPs, so all new arriving MN should be forced to become anonymous, until the precentage 37.5%-32.5%-30% is reached.



I gave a solution above, so what about it? What do you think?
 
This is my revised proposition.

I think the best solution is to have a constant poll, and decide dynamically the percentage of the anonymous and IPbased masternodes. And according to this voted percentage, new masternodes (selected randomly) must be forced to become anonymous and other new masternodes must be forced to behave as reverse proxies to the hidden network. The poll of course should be protected, decentralized and mirrored into all the anonymous section of the dash network.

It is very crucial to select randomly the IPbased and the anonymous new masternodes (according to the result of the appropriate poll that is always active, so that we can change the percentage of anonymous and IPbased new masternodes , according to the extend of the attack beeing made at the public dash network) because this randomness makes much more difficult the task of prohibiting the public dash network. The randomness can be calcutated using appropriate cryptographic protocols, among masternode owners.

The old mastenodes, as long as they are baptized and randomly taken their anonymous state, they can remain like that.

For example, lets suppose that the current result of this supposed permanent poll is the below:

Should we compel the core team to implement an anonymizing layer (i2p, tor etc)
  1. *Yes, all MNs anonymized 15 vote(s) 37.5%
  2. Yes, but MNOs choose IP based or anonymous 13 vote(s) 32.5%
  3. No, all MNs should run on public IPs 12 vote(s) 30.0%
So we should have 37.5% of anonymous nodes, 32.5% free to choose by the MNO, and 30% IPbased nodes. The IPbased and the anonymous nodes should be selected by the protocol randomly according to the current vote result, and the new arriving lucky (or unlucky) MNOs should be forced (by the protocol) to respect the decision of the protocol.



I gave a solution above, so what about it? What do you think?

I think part of the problem is that MNs on the hidden network will see noticeably lower returns, which is perfectly okay if it's a completely free choice but not going to work for those seeking a higher return. Some people, such as myself, would accept lower returns, but not everyone.

Whatever happens, I think the devs should maybe take a closer look at this issue because this sample poll, albeit very small, is suggesting that 70% of MNOs want some kind of improvement to anonymity. And maybe they should try to modify how Evolution utilizes IPs just in case a technical solution is found sometime in the future.
 
I think part of the problem is that MNs on the hidden network will see noticeably lower returns, which is perfectly okay if it's a completely free choice but not going to work for those seeking a higher return. Some people, such as myself, would accept lower returns, but not everyone.

Whatever happens, I think the devs should maybe take a closer look at this issue because this sample poll, albeit very small, is suggesting that 70% of MNOs want some kind of improvement to anonymity. And maybe they should try to modify how Evolution utilizes IPs just in case a technical solution is found sometime in the future.


I dont think this is a problem. Anonymous nodes could receive by the protocol some extra returns just for being anonymous. The percentage of the compensation for being anonymous could be defined in the protocol, or alternatively voted among the masternode onwners.
 
Back
Top